0
votes

I am writing an ASP.NET Core 1.1 web application. Now I am trying to set up my database so that it is ready for use, but I am stumped by something that seems basic...

I am pretty familiar with Roles and somewhat with Claims. I know I can create a Claim of type ClaimTypes.Role. But when I am going to seed my Identity database with users, roles, etc. I am not clear on these items:

  • Should I just create standard Roles using RoleManager only?
  • Should I create a Claim of ClaimTypes.Role only?
  • Should I do both for the system to work?

For example, I want to have roles Admin, Owner, Employee and Plain.

Admin
    identity:full
Owner
    identity:medium
    billing:full
Employee
    identity:low
    billing:view
Plain
    identity:low

By the way, the roles I want to create (each having one or more permissions as claims) should be valid for use in authorization (with the Authorize attribute on the controller).

1
This is a very subjective question - it all depends on your requirements. - trailmax

1 Answer

2
votes

In my opinion, if you are starting a new project, use Claims only.

Perhaps it's easier to understand and use the Roles using RoleManager, but Claims are more generic, flexible and powerful.

Claims are a little bit harder to start, but then they are very easy to use, especially in the custom policy-based authorization or authorization handlers (for example in a resource-based authorization).


Please read more:


And a small example of how to create a custom policy using Claims:

In Startup.cs

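// Inside ConfigureServices(IServiceCollection services); needs "using System.Security.Claims;"
services.AddAuthorization(options =>
{
    options.AddPolicy("Employee", p =>
    {
        p.RequireAuthenticatedUser();
        p.RequireClaim(ClaimTypes.Role, "Employee");
        // No p.Build() call is needed: AddPolicy builds the policy after this callback returns.
    });
});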
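An added example, not part of the original question or answer: one way to seed the question's role-to-permission table as role claims and enforce it with claim-based policies. The class name `PermissionSeed`, the policy names and the claim type/value split are assumptions made for illustration; it relies on ASP.NET Core Identity with the EF Core store, whose default claims principal factory copies a role's claims into the user's identity at sign-in.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore; // IdentityRole lives here in 1.x

public static class PermissionSeed // hypothetical helper, not from the post
{
    // Role -> permission claims from the question (type = area, value = level).
    public static readonly Dictionary<string, Claim[]> RoleClaims = new Dictionary<string, Claim[]>
    {
        ["Admin"]    = new[] { new Claim("identity", "full") },
        ["Owner"]    = new[] { new Claim("identity", "medium"), new Claim("billing", "full") },
        ["Employee"] = new[] { new Claim("identity", "low"), new Claim("billing", "view") },
        ["Plain"]    = new[] { new Claim("identity", "low") },
    };

    // Idempotent: creates missing roles and missing claims only, so it can run at every startup.
    public static async Task SeedAsync(RoleManager<IdentityRole> roles)
    {
        foreach (var entry in RoleClaims)
        {
            var role = await roles.FindByNameAsync(entry.Key);
            if (role == null)
            {
                role = new IdentityRole(entry.Key);
                Check(await roles.CreateAsync(role));
            }
            var existing = await roles.GetClaimsAsync(role);
            foreach (var claim in entry.Value)
                if (!existing.Any(c => c.Type == claim.Type && c.Value == claim.Value))
                    Check(await roles.AddClaimAsync(role, claim));
        }
    }

    static void Check(IdentityResult r)
    {
        if (!r.Succeeded)
            throw new InvalidOperationException(string.Join("; ", r.Errors.Select(e => e.Description)));
    }

    // Register with services.AddAuthorization(PermissionSeed.AddPolicies);
    // then use [Authorize(Policy = "BillingView")] on a controller or action.
    public static void AddPolicies(AuthorizationOptions options)
    {
        // Claim values are not hierarchical: list every level that should pass.
        options.AddPolicy("BillingView", p => p.RequireClaim("billing", "view", "full"));
        options.AddPolicy("IdentityManage", p => p.RequireClaim("identity", "medium", "full"));
    }
}
```

With the table as given, Admin carries no `billing` claim, so the `BillingView` policy denies Admin until that claim is granted explicitly.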